Configuring ACE Appliance Ethernet Interfaces

Note The information in this chapter applies to the ACE appliance only. The ACE appliance supports IPv6 or IPv4 for all the features described in this chapter unless otherwise noted.

The ACE appliance provides physical Ethernet ports that allow you to connect servers, PCs, routers, and other devices to the ACE appliance. The ACE appliance supports four Layer 2 Ethernet ports for Layer 2 switching.

You can configure the ACE appliance's four Ethernet ports to provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. Each Layer 2 Ethernet port supports autonegotiate, full-duplex, or half-duplex operation on an Ethernet LAN and can have traffic within a designated VLAN.

A Layer 2 Ethernet port can be configured as follows:

•Member of Port-Channel Group—Associates a physical port on the ACE appliance to a logical port to create a port-channel logical interface. The VLAN association is derived from the port-channel configuration. The port is configured as a Layer 2 EtherChannel, where each EtherChannel bundles the individual physical Ethernet ports into a single logical link that provides the aggregate bandwidth of up to four physical links on the ACE appliance.

•Access VLAN—Provides a connection for end users or node devices, such as a router or server. The access VLAN port is assigned to a single VLAN.

•Trunk port—Allocates VLANs to ports and passes VLAN information (including VLAN identification) between switches for all Ethernet channels defined in a Layer 2 Ethernet port or a Layer 2 EtherChannel (port-channel) group on the ACE appliance. The port is associated with IEEE 802.1Q encapsulation-based VLAN trunking.

This chapter describes how to configure the Ethernet ports on the ACE appliance. It contains the following major sections:

After you configure the Ethernet ports on the ACE appliance and allocate VLANs to configured Ethernet ports, you create the corresponding VLAN interfaces on the ACE appliance as described in Chapter 3, Configuring VLAN Interfaces.

Ethernet Interface Configuration Quick Start

Table 1-1 provides a quick overview of the steps required to configure Ethernet interface ports on the ACE appliance. Each step includes the CLI command or a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 1-1.

Table 1-1 Ethernet Interface Configuration Quick Start

Task and Command Example

1. Enter global configuration mode.

host1/Admin# config

host1/Admin(config)#

2. Configure a Layer 2 Ethernet port on the ACE appliance. You enter the interface mode.

host1/Admin(config)# interface gigabitEthernet 1/3

host1/Admin(config-if)#

Note Only users authenticated in the Admin context can use the interface gigabitEthernet command.

3. (Optional) Add a description about the Ethernet port to help you remember its function.

4. Configure the interface duplex and speed (the default is autonegotiate).

host1/Admin(config-if)# speed 1000M

host1/Admin(config-if)# duplex full

5. If you are using your ACE appliance in a redundancy configuration, configure one of the Ethernet ports on the ACE appliance for fault tolerance using a dedicated fault-tolerant (FT) VLAN for communication between the members of an FT group.

host1/Admin(config-if)# ft-port vlan 60

Note You may configure a port-channel interface on the ACE appliance for fault tolerance instead of an Ethernet port (see Table 1-2).

6. (Optional) Add a configurable delay at the physical port level to address any issues with transition time, based on the variety of peers.

Table 1-2 provides a quick overview of the steps required to configure an Ethernet interface port on the ACE appliance as a Layer 2 EtherChannel (port channel). Each step includes the CLI command or a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 1-2.

Table 1-2 EtherChannel (Port Channel) Configuration Quick Start

Task and Command Example

1. Enter global configuration mode.

host1/Admin# config

host1/Admin(config)#

2. (Optional) Create a port-channel interface to group physical ports together on the ACE appliance to form an EtherChannel.

host1/Admin(config)# interface port-channel 255

host1/Admin(config-if)#

Note Only users authenticated in the Admin context can use the interface port-channel command.

3. (Optional) Add a description about a port-channel interface to help you remember its function.

host1/Admin(config-if)# description A port-channel interface with a channel number of 255

4. If you are using your ACE appliance in a redundancy configuration, configure a port-channel interface on the ACE appliance for fault tolerance using a dedicated fault-tolerant (FT) VLAN for communication between the members of an FT group.

host1/Admin(config-if)# ft-port vlan 60

Note You may configure an Ethernet interface on the ACE appliance for fault tolerance instead of a port-channel interface (see Table 1-1).

5. (Optional) Set the load-distribution method among the ports in the EtherChannel bundle. For example, to configure an EtherChannel to balance the traffic load across the links using source or destination IP addresses, enter:

host1/Admin(config-if)# port-channel load-balance src-dst-ip

6. (Optional) Enable the port-channel interface to put the interface in the Up administrative state.

host1/Admin(config-if)# no shutdown

host1/Admin(config-if)# exit

host1/Admin(config)#

7. (Optional) Assign an access port to a specific VLAN for the Layer 2 port-channel interface. For example, to specify VLAN 101 as an access port for port-channel interface 255, enter:

host1/Admin(config)# interface port-channel 255

host1/Admin(config-if)# switchport access vlan 101

Note If you assign a VLAN as the access port for a specific port-channel interface, the VLAN is reserved and cannot be configured for a VLAN trunk.

8. Selectively allocate individual VLANs to a trunk link. For example, to add VLANs 200 and 266 to the defined list of VLANs currently set for port-channel interface 255, enter:

host1/Admin(config)# interface port-channel 255

host1/Admin(config-if)# switchport trunk allowed vlan 200,266

Note When allocating VLANs to ports, overlapping is not allowed. For example, if VLAN 200 is associated with port-channel 255 you cannot associate VLAN 200 with another Ethernet port or port channel.

9. (Optional) Set the 802.1Q native VLAN for a trunk. For example, to specify VLAN 266 as the 802.1Q native VLAN for the trunk, enter:

Configuring a Layer 2 Ethernet Port

Four Ethernet ports allow you to connect servers, PCs, routers, and other devices to the ACE appliance. You can configure the four Ethernet ports to provide an interface for connecting to 10-Mbps, 100-Mbps, or 1000-Mbps networks. Each Layer 2 Ethernet port supports autonegotiation (default), full-duplex, or half-duplex operation on an Ethernet LAN and can have traffic within a designated VLAN.

To configure a Layer 2 Ethernet port on the ACE appliance, use the interface gigabitEthernet command in configuration mode. The ACE appliance enters the interface configuration mode. Only users authenticated in the Admin context can use the interface gigabitEthernet command.

The syntax for the command is as follows:

interface gigabitEthernet slot_number/port_number

The keywords, arguments, and options are as follows:

•slot_number—Physical slot on the ACE appliance containing the Ethernet ports. This selection is always 1, which is the location of the daughter card in the ACE appliance. The daughter card includes the four Layer 2 Ethernet ports that allow you to perform Layer 2 switching.

•port_number—Physical Ethernet port on the ACE appliance. Valid selections are from 1 through 4, which allow you to specify one of the four Ethernet ports (1, 2, 3, or 4) associated with the slot 1 (daughter card) selection.

Configuring the Ethernet Interface Speed and Duplex Mode

By default, the ACE appliance automatically uses the autonegotiate setting for Ethernet port speed and duplex mode parameters to allow the ACE appliance to negotiate the speed and duplex mode between ports. If you manually configure the port speed and duplex modes, follow these guidelines:

•The ACE appliance does not allow you to configure a duplex setting while the speed of an Ethernet port is set to auto. Configure the speed command with a setting of 10, 100, or 1000 Mbps before you configure the duplex mode for the Ethernet port.

•If you configure an Ethernet port speed to a value other than auto (for example, 10, 100, or 1000 Mbps), ensure that you configure the connecting port to match. Do not configure the connecting port to negotiate the speed through the auto keyword.

•The ports on both ends of a link must have the same setting. The link will not come up if the ports at each end of the connecting interface have different settings. For example, if you configure the Ethernet port speed and duplex setting to a setting of 10, 100, or 1000 Mbps on one side of a link, you must configure the matching speed and duplex on the other side of the link to ensure proper communication.

•If you enter the no speed command, the ACE appliance automatically configures both the speed and duplex settings to auto.

The ACE appliance cannot automatically negotiate the interface speed and duplex mode if either connecting interface is configured to a value other than auto.
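The guidelines above can be checked before a change window rather than discovered when a link stays down. The following is an added example (not Cisco code and not part of this guide) that models the speed and duplex rules stated in this section: selecting auto or entering no speed returns both settings to auto, duplex cannot be set while speed is auto, and a link is treated as coming up only when both ends are auto or both ends carry an identical fixed setting. The PortSetting class and function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

SPEEDS = ("auto", "10M", "100M", "1000M")   # keywords of the ACE speed command
DUPLEXES = ("auto", "full", "half")


@dataclass(frozen=True)
class PortSetting:
    """Speed and duplex of one Ethernet port; auto for both is the ACE default."""
    speed: str = "auto"
    duplex: str = "auto"


def apply_speed(current: PortSetting, speed: Optional[str]) -> PortSetting:
    """Model 'speed <keyword>' (or 'no speed' when speed is None).
    Selecting auto, or removing the speed, returns speed and duplex to auto."""
    if speed is None or speed == "auto":
        return PortSetting("auto", "auto")
    if speed not in SPEEDS:
        raise ValueError(f"unknown speed keyword {speed!r}")
    return PortSetting(speed, current.duplex)


def apply_duplex(current: PortSetting, duplex: str) -> PortSetting:
    """Model 'duplex full|half': refused while the port speed is auto."""
    if current.speed == "auto":
        raise ValueError("duplex cannot be set while speed is auto; configure speed first")
    if duplex not in ("full", "half"):
        raise ValueError(f"unknown duplex keyword {duplex!r}")
    return PortSetting(current.speed, duplex)


def link_comes_up(ace_port: PortSetting, peer_port: PortSetting) -> bool:
    """Apply the guidelines: both ends auto negotiate; both ends fixed must
    match exactly; a fixed end facing an auto end is treated as a mismatch,
    because the ACE cannot autonegotiate when either end is not auto."""
    if ace_port.speed == "auto" and peer_port.speed == "auto":
        return True
    if ace_port.speed == "auto" or peer_port.speed == "auto":
        return False
    return ace_port == peer_port


if __name__ == "__main__":
    # walk through the page's own example: speed 1000M, then duplex full
    ace = apply_duplex(apply_speed(PortSetting(), "1000M"), "full")
    for peer in (PortSetting("1000M", "full"), PortSetting("100M", "full"), PortSetting()):
        print(f"ACE {ace} <-> peer {peer}: link up = {link_comes_up(ace, peer)}")
```

The verdict for a fixed end facing an auto end follows the guideline text literally; it is the configuration the section tells you to avoid, so the checker flags it rather than guessing what the peer would fall back to.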

Caution Changing the Ethernet port speed and duplex mode configuration may shut down and reenable the interface during the reconfiguration.

Configuring the Ethernet Interface Speed

You can configure the Ethernet port speed for a setting of 10, 100, or 1000 Mbps. Use the speed command in interface configuration mode to configure the port speed. The default speed for an ACE appliance interface is autonegotiate.

The syntax for the command is as follows:

speed {1000M | 100M | 10M | auto}

The keywords, arguments, and options are as follows:

•1000M—Initiates 1000 Mbps operation.

•100M—Initiates 100 Mbps operation.

•10M—Initiates 10 Mbps operation.

•auto—Enables the ACE appliance to autonegotiate with other devices for speeds of 10, 100, or 1000 Mbps. If you set the Ethernet port speed to auto, the ACE appliance automatically sets the duplex mode to auto; auto is the default setting.

Note If you configure the Ethernet port speed to auto, the ACE appliance automatically sets the duplex mode to auto.

For example, to set the speed to 1000 Mbps on Ethernet port 3, enter:

host1/Admin(config)# interface gigabitEthernet 1/3

host1/Admin(config-if)# speed 1000M

To restore the default setting of autonegotiate for an Ethernet port, enter:

host1/Admin(config-if)# no speed

Note If you enter the no speed command, the ACE appliance automatically configures both the speed and duplex settings to autonegotiate.

Setting the Interface Duplex Mode

To configure an Ethernet port for full or half duplex operation, use the duplex command in interface configuration mode. The default configuration for an ACE appliance interface is autonegotiate.

Note If you configure the Ethernet port speed to auto on a 10/100/1000-Mbps Ethernet port, both speed and duplex are autonegotiated. You cannot change the duplex mode of autonegotiation ports.

The syntax for the command is as follows:

duplex {full | half}

The keywords, arguments, and options are as follows:

•full—Configures the specified Ethernet port for full-duplex operation, which allows data to travel in both directions at the same time.

•half—Configures the specified Ethernet port for half-duplex operation. A half-duplex setting ensures that data only travels in one direction at any given time.

For example, to set the duplex mode to full on Ethernet port 3, enter:

host1/Admin(config)# interface gigabitEthernet 1/3

host1/Admin(config-if)# duplex full

To restore the default setting of autonegotiate for an Ethernet port, enter:

host1/Admin(config-if)# no duplex

Designating an Ethernet Port as an FT VLAN Port

Peer ACE appliances can communicate with each other over a dedicated fault-tolerant (FT) VLAN. These redundant peers use an FT VLAN to transmit and receive heartbeat packets and state and configuration replication packets. To configure one of the Ethernet ports on the ACE appliance for fault tolerance using a dedicated FT VLAN for communication between the members of an FT group, use the ft-port vlan command in interface configuration mode.

Note When you specify the ft-port vlan command, the ACE appliance modifies the associated Ethernet port to a trunk port.

On both peer ACE appliances, you must configure the same Ethernet port as the FT VLAN port. For example, if you configure ACE appliance 1 to use Ethernet port 4 as the FT VLAN port, then be sure to configure ACE appliance 2 to use Ethernet port 4 as the FT VLAN port.

For details on configuring redundant ACE appliances, including an FT VLAN, see the Administration Guide, Cisco ACE Application Control Engine.

The syntax for this command is as follows:

ft-port vlan number

The number argument specifies a unique identifier for the FT VLAN. Valid values are from 2 to 4094.

Note You do not need to create an FT VLAN before you designate an Ethernet port as the FT VLAN port.

Configuring a Delay at the Physical Port Level

If you connect an ACE appliance to a Catalyst 6500 series switch, your configuration on the Catalyst may include the Spanning Tree Protocol (STP). However, the ACE appliance does not support STP. In this case, you may find that the Layer 2 convergence time is much longer than the physical port up time. For example, the physical port would normally be up within 3 seconds, but STP moving to the forward state may need approximately 30 seconds. During this transitional time, although the ACE appliance declares the port to be up, the traffic will not pass.

To add a configurable delay at the physical port level to address this transition time, based on the variety of peers, use the carrier-delay command.

For example, to add a configurable delay of 60 seconds at the physical port level for Ethernet port 3, enter:

host1/Admin(config)# interface gigabitEthernet 1/3

host1/Admin(config-if)# carrier-delay 60

To remove the carrier delay for the Ethernet port, enter:

host1/Admin(config-if)# no carrier-delay 60

Configuring an Ethernet Port in a Port-Channel Group

You can group physical ports together on the ACE appliance to form an EtherChannel (or port channel). When configuring Layer 2 EtherChannels, you map the physical Ethernet port to a port channel using the channel-group command. This command configures the Ethernet port in a port-channel group and automatically creates the port-channel logical interface.

Note You do not need to configure a port-channel interface before you assign a physical Ethernet port to a channel group through the channel-group command. A port-channel interface is created automatically when the channel group receives its first physical interface, if it is not already created.

The syntax for the command is as follows:

channel-group channel_number

The channel_number argument specifies the channel number assigned to this channel group. Valid values are from 1 to 255.

For example, to create a channel group with a channel number of 255, enter:

host1/Admin(config)# interface gigabitEthernet 1/3

host1/Admin(config-if)# channel-group 255

To remove the channel group assigned to the Ethernet port, enter:

host1/Admin(config-if)# no channel-group 255

Enabling Quality of Service for a Port

By default, Quality of Service (QoS) is disabled for each physical Ethernet port on the ACE appliance. You can enable QoS for a configured physical Ethernet port that is based on VLAN Class of Service (CoS) bits (priority bits that segment the traffic in eight different classes of service). If a VLAN header is present, the CoS bits are used by the ACE appliance to map frames into class queues. If the frame is untagged, it falls back to a default port QoS level for mapping.

Note QoS is configurable only for a physical Ethernet port and is not VLAN interface-based.

When you enable QoS on a port (a trusted port), traffic is mapped into different ingress queues based on their VLAN CoS bits. If there are no VLAN CoS bits, or QoS is not enabled on the port (untrusted port), the traffic is then mapped into the lowest priority queue.
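The queue selection described above depends on whether the port is trusted and whether the frame actually carries an 802.1Q tag. The following is an added example (not Cisco code and not part of this guide) that parses the 802.1Q tag of an Ethernet frame, extracts the three CoS (PCP) bits, and maps the frame to an ingress queue the way this section describes: CoS selects the queue on a QoS-enabled port, while an untagged frame or any frame on an untrusted port goes to the lowest queue. The frame layout is standard 802.1Q; numbering the queues 0 to 7 with 0 as the lowest priority, and the sample MAC addresses, are assumptions of the example.

```python
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
NUM_QUEUES = 8        # one queue per CoS value (3 PCP bits)
LOWEST_QUEUE = 0      # assumption: queue 0 is the lowest-priority queue


def parse_vlan_tag(frame: bytes) -> Optional[Tuple[int, int]]:
    """Return (cos, vlan_id) for a tagged frame, or None when it is untagged.
    Layout: dst MAC (6) | src MAC (6) | TPID (2) | TCI (2) | EtherType (2) | payload.
    TCI = PCP (3 bits, the CoS) | DEI (1 bit) | VID (12 bits)."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci >> 13, tci & 0x0FFF


def ingress_queue(frame: bytes, qos_enabled: bool) -> int:
    """Trusted port (QoS enabled): the CoS bits select the queue.
    Untrusted port, or untagged frame on any port: lowest-priority queue."""
    tag = parse_vlan_tag(frame)
    if not qos_enabled or tag is None:
        return LOWEST_QUEUE
    cos, _vlan_id = tag
    return cos   # CoS 0..7 maps directly onto the NUM_QUEUES queues


def build_frame(dst: bytes, src: bytes, vlan_id: Optional[int] = None,
                cos: int = 0, ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Build a constructed sample frame, tagged when vlan_id is given."""
    if not 0 <= cos < NUM_QUEUES:
        raise ValueError("CoS must be 0..7")
    frame = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        frame += struct.pack("!HH", TPID_8021Q, (cos << 13) | vlan_id)
    return frame + struct.pack("!H", ethertype) + payload


# constructed sample MACs (locally administered; not real devices)
ROUTER_MAC = bytes.fromhex("020000000001")
ACE_MAC = bytes.fromhex("020000000002")

if __name__ == "__main__":
    tagged = build_frame(ACE_MAC, ROUTER_MAC, vlan_id=101, cos=5)
    untagged = build_frame(ACE_MAC, ROUTER_MAC)
    for name, frame in (("tagged, CoS 5", tagged), ("untagged", untagged)):
        print(f"{name}: trusted port -> queue {ingress_queue(frame, True)}, "
              f"untrusted port -> queue {ingress_queue(frame, False)}")
```

The untagged case is the one to keep in mind when troubleshooting: a frame that arrives without a tag lands in the lowest queue even on a trusted port, so redundancy or management traffic that must be prioritized has to arrive tagged with the intended CoS.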

Enabling or Disabling the Ethernet Interface

By default, when you configure an interface it remains in the shutdown state (administratively down) until you enable the interface.

•To enable an Ethernet port, use the no shutdown command in interface configuration mode. This action puts the interface in the Up administrative state.

•To disable an Ethernet port, use the shutdown command in interface configuration mode. This action puts the interface in the Down administrative state.

For example, to enable Ethernet port 3, enter:

host1/Admin(config)# interface gigabitEthernet 1/3

host1/Admin(config-if)# no shutdown

To disable Ethernet port 3, enter:

host1/Admin(config)# interface gigabitEthernet 1/3

host1/Admin(config-if)# shutdown

To check if an interface is disabled, enter the show interface gigabitEthernet command in Exec mode. An interface that has been shut down is shown as administratively down in the show interface gigabitEthernet command display. See the "Specifying the 802.1Q Native VLAN For a Trunk" section for details.

Configuring Layer 2 EtherChannels

An EtherChannel bundles individual Layer 2 Ethernet physical ports into a single logical link that provides the aggregate bandwidth of up to four physical links on the ACE appliance. The EtherChannel provides full-duplex bandwidth up to 4000-Mbps between the ACE appliance and another switch (for example, a Cisco Catalyst 6500 series switch). Ports in an EtherChannel do not have to be contiguous; however, all ports in each EtherChannel must operate at the same speed.

Note The Catalyst 6500 series switch uses a proprietary protocol called Port Aggregation Protocol (PAgP). The IEEE later defined, within 802.3ad, a new control protocol for link aggregation called Link Aggregation Control Protocol (LACP). The ACE appliance does not use either protocol. If you intend to configure Layer 2 EtherChannel bundles between an ACE appliance and a Catalyst 6500 series switch, all ports in the bundle must be statically assigned at both ends. See the "Example of a Port-Channel Configuration" section for details.

To create the EtherChannel interface, use the interface port-channel command in interface configuration mode. You can base the load-balance policy (frame distribution) on a MAC address (Layer 2), an IP address (Layer 3), or a port number (Layer 4).

Note Only users authenticated in the Admin context can use the interface port-channel command.

The EtherChannel interface (consisting of up to four Ethernet interfaces) is treated as a single interface, which is called a port channel. You configure an EtherChannel on the port-channel interface rather than on the individual member Ethernet interfaces. Each EtherChannel has a numbered port-channel interface, numbered from 1 to 255. After you configure an EtherChannel, the configuration that you apply to the assigned Ethernet ports in the port-channel group affects only those Ethernet ports.

Note You do not need to configure a port-channel interface before you assign a physical Ethernet port to a channel group through the channel-group command. A port-channel interface is created automatically when the channel group receives its first physical interface, if it is not already created.

To change the parameters of all ports in an EtherChannel (for example, to configure a Layer 2 EtherChannel as a trunk), apply the configuration commands to the port-channel interface.

In addition, you can configure EtherChannels as trunks (see Chapter 3, Configuring VLAN Interfaces). After a port channel is formed, configuring any port in the channel as a trunk applies the configuration to all ports in the EtherChannel.

Note If you disable a port in a channel, it is treated as a link failure and its traffic is transferred to one or more of the remaining ports in the channel.

You can also configure EtherChannels using the following CLI commands in interface mode:

•Use the switchport access vlan command to configure an access port to a specific VLAN for the Layer 2 EtherChannel interface. See the "Configuring a VLAN Access Port" section.

Configuring a Port-Channel Interface

You can group physical ports together on the ACE appliance to form an EtherChannel (or port channel). All the ports that belong to the same port channel must be configured with the same values; for example, port parameters, VLAN membership, or trunk configuration. Only one port channel in a channel group is allowed, and a physical port can belong to a single port-channel interface only.

Note If you use SNMP to query the ACE, be aware that the SNMP OID ifHighSpeed is not supported for an interface configured as a port channel. An SNMP request for ifHighSpeed on a port channel interface will return a value of zero (0).

To create a port-channel interface, use the interface port-channel command. Only users authenticated in the Admin context can use this command.

The syntax for the command is as follows:

interface port-channel channel_number

The channel_number argument specifies the channel number assigned to this port-channel interface. Valid values are from 1 to 255.

For example, to create a port-channel interface with a channel number of 255, enter:

host1/Admin(config)# interface port-channel 255

Adding a Description for a Port Channel

You can add a description about a port-channel interface to help you remember its function. The port-channel interface description appears in the output of the show running-config and show interfaces commands in Exec mode.

The syntax for the command is as follows:

description text

Use the text argument to enter an unquoted text string with a maximum of 240 alphanumeric characters.

For example, to add a description for port-channel interface 255, enter:

host1/Admin(config)# interface port-channel 255

host1/Admin(config-if)# description A port-channel interface with a channel number of 255

To remove the port-channel description, enter:

host1/Admin(config-if)# no description

Designating a Port-Channel Interface as an FT VLAN Interface

Peer ACE appliances can communicate with each other over a dedicated fault-tolerant (FT) VLAN. These redundant peers use an FT VLAN to transmit and receive heartbeat packets and state and configuration replication packets. To configure a port-channel interface on the ACE appliance for fault tolerance using a dedicated FT VLAN for communication between the members of an FT group, use the ft-port vlan command in interface configuration mode.

Note When you specify the ft-port vlan command, the ACE appliance modifies the associated port-channel interface to a trunk port.

On both peer ACE appliances, you must configure the same port-channel interface as the FT VLAN. For example, if you configure ACE appliance 1 to use port-channel interface 255 as the FT VLAN port, you must configure ACE appliance 2 to use port-channel interface 255 as the FT VLAN.

For details on configuring redundant ACE appliances, including an FT VLAN, see the Administration Guide, Cisco ACE Application Control Engine.

The syntax for this command is as follows:

ft-port vlan number

The number argument specifies a unique identifier for the FT VLAN. Valid values are from 2 to 4094.

Note You do not need to create an FT VLAN before you designate a port-channel interface as the FT VLAN port.

Configuring Port-Channel Load Balancing

An EtherChannel can balance the traffic load across the links in the designated port channel by reducing part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel. Port-channel load balancing can use MAC addresses or IP addresses, Layer 4 port numbers, source addresses, destination addresses, or both source and destination addresses. Addresses can be either IPv4 or IPv6.

Use the option that provides the load-balance criteria with the greatest variety in your configuration. For example, if the traffic on an EtherChannel is going to a single MAC address only and you use the destination MAC address as the basis of EtherChannel load balancing, the EtherChannel always chooses the same link in the EtherChannel.

To set the load-distribution method among the ports in the EtherChannel bundle, use the port-channel load-balance command. The keywords are as follows:

•src-dst-ip—Distributes the load based on the source and destination IP addresses

•src-dst-mac—Distributes the load based on the source and destination MAC addresses

•src-dst-port—Distributes the load based on the source and destination ports

•src-ip—Distributes the load based on the source IP address

•src-mac—Distributes the load based on the source MAC address

•src-port—Distributes the load based on the TCP or UDP source port

For example, to configure an EtherChannel to balance the traffic load across the links using source or destination IP addresses, enter:

host1/Admin(config)# interface gigabitEthernet 1/1

host1/Admin(config-if)# port-channel load-balance src-dst-ip
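The advice to pick the method with the greatest variety is easiest to see by running the same traffic through each method. The following is an added example (not Cisco code and not part of this guide) that reduces the selected address fields of a flow to a number and picks one of the links in the channel, as this section describes. The XOR fold is a stand-in for the ACE's real hash, which this guide does not specify; the flow dictionary layout, the helper names and the sample traffic (64 clients behind one upstream router, all reaching one VIP) are constructed for the example. Addresses are packed with the ipaddress module, so IPv4 and IPv6 flows are handled alike.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable

# keyword of the port-channel load-balance command -> fields fed to the hash
METHOD_FIELDS = {
    "src-mac":      ("src_mac",),
    "src-dst-mac":  ("src_mac", "dst_mac"),
    "src-ip":       ("src_ip",),
    "src-dst-ip":   ("src_ip", "dst_ip"),
    "src-port":     ("src_port",),
    "src-dst-port": ("src_port", "dst_port"),
}


def fold(data: bytes) -> int:
    """Reduce a byte pattern to one small number by XOR-ing its bytes
    (stand-in for the appliance's hash; assumption of this example)."""
    value = 0
    for b in data:
        value ^= b
    return value


def select_link(flow: Dict[str, bytes], method: str, n_links: int) -> int:
    """Pick the link (0..n_links-1) that the given method would use for the flow."""
    if not 1 <= n_links <= 4:
        raise ValueError("an ACE EtherChannel bundles 1 to 4 physical links")
    fields = METHOD_FIELDS[method]            # KeyError for an unknown keyword
    return fold(b"".join(flow[f] for f in fields)) % n_links


def link_usage(flows: Iterable[Dict[str, bytes]], method: str, n_links: int) -> Counter:
    """How many of the flows land on each link under the given method."""
    return Counter(select_link(flow, method, n_links) for flow in flows)


def make_flow(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
              src_mac: str, dst_mac: str) -> Dict[str, bytes]:
    """Constructed flow record; .packed works for both IPv4 and IPv6."""
    return {
        "src_ip": ipaddress.ip_address(src_ip).packed,
        "dst_ip": ipaddress.ip_address(dst_ip).packed,
        "src_port": src_port.to_bytes(2, "big"),
        "dst_port": dst_port.to_bytes(2, "big"),
        "src_mac": bytes.fromhex(src_mac),
        "dst_mac": bytes.fromhex(dst_mac),
    }


# constructed sample: every frame enters from one router MAC and is addressed
# to one VIP MAC, so the MAC pair never varies while IPs and ports do
ROUTER_MAC = "020000000001"
ACE_MAC = "020000000002"
SAMPLE_FLOWS = [
    make_flow(f"10.0.0.{i}", "192.0.2.5", 40000 + i, 443, ROUTER_MAC, ACE_MAC)
    for i in range(1, 65)
]

if __name__ == "__main__":
    for method in ("src-dst-mac", "src-dst-ip", "src-dst-port"):
        print(f"{method:13s} -> links used: {dict(sorted(link_usage(SAMPLE_FLOWS, method, 4).items()))}")
```

With the sample traffic, src-dst-mac sends all 64 flows down a single link, exactly the degenerate case the section warns about, whereas src-dst-ip spreads them across all four links; the same flow always maps to the same link, so per-flow ordering is preserved.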

Enabling or Disabling a Port-Channel Interface

By default, when you configure a port-channel interface it remains in the shutdown state (administratively down) until you enable the interface.

•To enable a port-channel interface, use the no shutdown command in interface configuration mode. This action puts the interface in the Up administrative state.

•To disable a port-channel interface, use the shutdown command in interface configuration mode. This action puts the interface in the Down administrative state.

For example, to enable port-channel interface 255, enter:

host1/Admin(config)# interface port-channel 255

host1/Admin(config-if)# no shutdown

For example, to disable port-channel interface 255, enter:

host1/Admin(config)# interface port-channel 255

host1/Admin(config-if)# shutdown

Example of a Port-Channel Configuration

The following configuration example shows the commands required on both the ACE appliance and the Catalyst 6500 series switch to configure a port channel.

ACE Appliance Configuration

interface g1/1
  channel-group 1
  no shutdown
interface g1/2
  channel-group 1
  no shutdown
interface po 1
  switchport trunk allowed vlan 10-1000
  no shutdown

Catalyst 6500 Series Switch Configuration

interface g9/37
  channel-group 1 mode on
  no shutdown
interface g9/38
  channel-group 1 mode on
  no shutdown
interface po 1
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 10-1000
  switchport mode trunk
  no shutdown

Configuring a VLAN Access Port

On the ACE appliance, a port that is assigned to a single VLAN is referred to as a VLAN access port and provides a connection for end users or node devices, such as a router or server. By default, all devices are assigned to VLAN 1, known as the default VLAN. To configure an access port to a specific VLAN for either an Ethernet interface or a Layer 2 port-channel interface, use the switchport access vlan command in interface configuration mode.

Note You do not need to create a VLAN interface before you configure an access VLAN. To configure a VLAN interface and access its mode to configure its attributes, use the interface vlan command in configuration mode for the context. See Chapter 3, Configuring VLAN Interfaces, for details.

When you assign a VLAN for a specific Ethernet port or port-channel interface, the VLAN is reserved and cannot be configured for a VLAN trunk (see the "Configuring VLAN Trunks" section). A VLAN access port and a VLAN trunk cannot coexist for the same Ethernet port or port-channel interface. If you specify both configurations for the same Ethernet port or port-channel interface, the most recent configuration will overwrite the older configuration.

Note If you have QoS enabled for a physical Ethernet port (see the "Enabling Quality of Service for a Port" section) that has been designated as an FT VLAN port (see the "Designating an Ethernet Port as an FT VLAN Port" section), do not configure this Ethernet port as a VLAN access port. In this configuration, the QoS setting for redundancy traffic, such as heartbeat packets or TCP tracking probes, may not be handled properly by the ACE appliance and FT traffic may be dropped when there is network congestion.

The syntax is as follows:

switchport access vlan number

The number argument specifies the VLAN number that you want to configure as the 802.1Q native VLAN when operating in trunking mode. Valid values are from 1 to 4094. The default is VLAN 1.

For example, to configure VLAN 101 as an access port for Ethernet port 4, enter:

host1/Admin(config)# interface gigabitEthernet 1/4

host1/Admin(config-if)# switchport access vlan 101

For example, to configure VLAN 101 as an access port for port-channel interface 255, enter:

host1/Admin(config)# interface port-channel 255

host1/Admin(config-if)# switchport access vlan 101

To reset the access mode to the default VLAN 1, enter:

host1/Admin(config)# interface gigabitEthernet 1/4

host1/Admin(config-if)# no switchport access vlan 101

Configuring VLAN Trunks

You can use trunk links to pass VLAN information (including VLAN identification) between switches for all Ethernet channels defined in a Layer 2 Ethernet port or a Layer 2 EtherChannel (port-channel) group on the ACE appliance. By default, a trunk port is a member of all VLANs that exist on the ACE appliance and carries traffic for those VLANs as they pass between the switches. To distinguish between the traffic flows, a trunk port marks the frames with special tags.

You must enable trunking on both sides of a link. If two switches are connected together, you must configure both switch ports for trunking and with the same tagging mechanism.

The ACE appliance supports 802.1Q encapsulation-based VLAN trunking. The 802.1Q interconnects VLANs between multiple switches, routers, and servers. With 802.1Q, you can define a VLAN topology that spans multiple physical devices. In addition, the ACE appliance supports 802.1Q for Gigabit Ethernet interfaces. An 802.1Q trunk link provides VLAN identification by adding a 2-byte tag to an Ethernet Frame as it leaves a trunk port.

Ports configured in trunk mode can have traffic in more than one VLAN based on the trunk-allowed VLAN list configuration.

Note You can configure a trunk on a single Ethernet port or on an EtherChannel.

Follow these configuration guidelines and restrictions when you use VLAN trunks with the ACE appliance:

•If you configure a VLAN on a trunk, you cannot configure the VLAN as the access port for a specific Ethernet port or port-channel interface (see the "Configuring a VLAN Access Port" section). A VLAN access port and a VLAN trunk cannot coexist for the same Ethernet port or port-channel interface. If you specify both configurations for the same Ethernet port or port-channel interface, the most recent configuration will overwrite the older configuration.

•When allocating VLANs to ports, overlapping is not allowed. For example, if VLAN 10 is associated with Ethernet port 1 (or with port-channel interface 255), you cannot associate VLAN 10 with another Ethernet port or port channel.

•You do not need to create a VLAN interface before you allocate a VLAN to an Ethernet port or a port-channel interface. To configure a VLAN interface and access its mode to configure its attributes, use the interface vlan command in configuration mode for the context. See Chapter 3, Configuring VLAN Interfaces, for details.

•When connecting a Cisco switch through an 802.1Q trunk, make sure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link. If the native VLAN on one end of the trunk is different from the native VLAN on the other end, spanning tree loops might result.

•When you connect two Cisco switches through 802.1Q trunks, the switches exchange spanning tree Bridge Protocol Data Units (BPDUs) on each VLAN allowed on the trunks. The BPDUs on the native VLAN of the trunk are sent untagged to the reserved 802.1D spanning-tree multicast MAC address (01-80-C2-00-00-00). The BPDUs on all other VLANs on the trunk are sent tagged to the reserved Cisco Shared Spanning Tree (SSTP) multicast MAC address (01-00-0c-cc-cc-cd).

•Non-Cisco 802.1Q switches maintain only a single instance of spanning-tree (the Mono Spanning Tree, or MST) that defines the spanning-tree topology for all VLANs. When you connect a Cisco switch to a non-Cisco switch through an 802.1Q trunk, the MST of the non-Cisco switch and the native VLAN spanning tree of the Cisco switch combine to form a single spanning-tree topology known as the Common Spanning Tree (CST).

•Because Cisco switches transmit BPDUs to the SSTP multicast MAC address on VLANs other than the native VLAN of the trunk, non-Cisco switches do not recognize these frames as BPDUs and flood them on all ports in the corresponding VLAN. Other Cisco switches connected to the non-Cisco 802.1Q cloud receive these flooded BPDUs, which allows them to maintain a per-VLAN spanning-tree topology across a cloud of non-Cisco 802.1Q switches. The non-Cisco 802.1Q cloud that separates the Cisco switches is treated as a single broadcast segment between all switches connected to the non-Cisco 802.1Q cloud through 802.1Q trunks.

•Ensure that the native VLAN is the same on all of the 802.1Q trunks that connect the Cisco switches to the non-Cisco 802.1Q cloud.

Allocating an Ethernet Port or Port-Channel Interface to a VLAN Trunk

You can selectively allocate individual VLANs associated with an Ethernet port or a port-channel interface to a VLAN trunk link. Note that all added VLANs are active on a trunk link, and, as long as the VLAN is available for use, traffic for that VLAN is carried across the trunk link. To specify which VLANs are to be allocated to a trunk link, use the switchport trunk allowed vlan command in interface configuration mode.

To remove a VLAN from the trunk link, use the no form of the command.

Note You do not need to create a VLAN interface before you allocate a VLAN to an Ethernet port or port-channel interface. To configure a VLAN interface and access its mode to configure its attributes, use the interface vlan command in configuration mode for the context. See Chapter 3, Configuring VLAN Interfaces, for details.

The syntax is as follows:

switchport trunk allowed vlan vlan_list

The vlan_list argument specifies the VLANs that this Ethernet interface transmits in tagged format when in trunking mode. The vlan_list argument can be one of the following:

•Single VLAN number

•Range of VLAN numbers separated by a hyphen

•Specific VLAN numbers separated by commas

Valid entries are from 1 through 4094. Do not enter any spaces between the dash-specified ranges or the comma-separated numbers in the vlan_list argument.

For example, to add VLANs 101, 201, and 250 through 260 to the defined list of VLANs currently set for Ethernet port 4, enter:

host1/Admin(config)# interface gigabitEthernet 1/4

host1/Admin(config-if)# switchport trunk allowed vlan 101,201,250-260

To remove VLANs 101 through 499 from the defined list of VLANs currently set for Ethernet port 4, enter:

host1/Admin(config)# interface gigabitEthernet 1/4

host1/Admin(config-if)# no switchport trunk allowed vlan 101-499
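The following Python script is an added example, not code from Cisco or from the ACE appliance. It ties together the vlan_list syntax defined above (single numbers, hyphenated ranges, comma-separated numbers, 1 through 4094, no spaces) and the two allocation restrictions listed earlier in this section: a VLAN may be allocated to only one Ethernet port or port-channel, and an access VLAN and a trunk cannot coexist on the same interface, with the most recent setting overwriting the older one. The sample configuration is constructed, and the switchport access vlan line is assumed from the referenced "Configuring a VLAN Access Port" section rather than taken from this one.

```python
import re
from typing import Dict, List, Set

VLAN_MIN, VLAN_MAX = 1, 4094

# A vlan_list item is a single VLAN number or a hyphenated range ("101", "250-260").
_ITEM_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_vlan_list(vlan_list: str) -> Set[int]:
    """Expand a vlan_list argument such as "101,201,250-260" into a set of VLAN IDs.

    Enforces the chapter's rules: single numbers, hyphenated ranges or
    comma-separated numbers, values 1 through 4094, and no spaces anywhere.
    """
    if not vlan_list or " " in vlan_list:
        raise ValueError(f"vlan_list must be non-empty and contain no spaces: {vlan_list!r}")
    vlans: Set[int] = set()
    for item in vlan_list.split(","):
        m = _ITEM_RE.match(item)
        if not m:
            raise ValueError(f"malformed vlan_list item: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if low > high:
            raise ValueError(f"range start exceeds range end: {item!r}")
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"VLAN outside 1-4094: {item!r}")
        vlans.update(range(low, high + 1))
    return vlans


def parse_switchport_config(text: str) -> Dict[str, dict]:
    """Parse a minimal ACE-style interface configuration into per-interface state.

    Only the lines this chapter covers are understood: "interface <name>",
    "switchport access vlan <n>" (assumed access-port form), "switchport trunk
    allowed vlan <vlan_list>" and its "no" form. As the chapter states, the most
    recent access or trunk setting overwrites the earlier one; every mode seen is
    remembered in "modes_seen" so the audit can report the overwrite.
    """
    ifaces: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line[len("interface "):]
            ifaces[current] = {"mode": None, "vlans": set(), "modes_seen": set()}
            continue
        if current is None:
            raise ValueError(f"switchport line outside an interface block: {line!r}")
        entry = ifaces[current]
        arg = line.rsplit(" ", 1)[1]
        if line.startswith("switchport access vlan "):
            vid = int(arg)
            if not VLAN_MIN <= vid <= VLAN_MAX:
                raise ValueError(f"access VLAN outside 1-4094: {vid}")
            entry["mode"], entry["vlans"] = "access", {vid}
            entry["modes_seen"].add("access")
        elif line.startswith("switchport trunk allowed vlan "):
            if entry["mode"] != "trunk":
                entry["vlans"] = set()  # a trunk replaces an earlier access VLAN
            entry["mode"] = "trunk"
            entry["modes_seen"].add("trunk")
            entry["vlans"] |= parse_vlan_list(arg)
        elif line.startswith("no switchport trunk allowed vlan "):
            if entry["mode"] == "trunk":
                entry["vlans"] -= parse_vlan_list(arg)
        else:
            raise ValueError(f"unsupported configuration line: {line!r}")
    return ifaces


def audit_vlan_allocation(ifaces: Dict[str, dict]) -> List[str]:
    """Report the two restrictions the chapter lists: no VLAN may be allocated to
    more than one port or port-channel, and access and trunk must not both be
    configured on one interface (the later setting silently wins)."""
    findings: List[str] = []
    owner: Dict[int, str] = {}
    for name, entry in ifaces.items():
        if len(entry["modes_seen"]) > 1:
            findings.append(f"{name}: access and trunk both configured; the most recent "
                            f"({entry['mode']}) setting overwrote the earlier one")
        for vid in sorted(entry["vlans"]):
            if vid in owner:
                findings.append(f"VLAN {vid}: allocated to both {owner[vid]} and {name} "
                                "(overlapping allocation is not allowed)")
            else:
                owner[vid] = name
    return findings


# Constructed sample configuration, not taken from a real appliance.
SAMPLE_CONFIG = """
interface gigabitEthernet 1/1
  switchport access vlan 10
interface gigabitEthernet 1/2
  switchport trunk allowed vlan 10,20-30
interface gigabitEthernet 1/4
  switchport trunk allowed vlan 101,201,250-260
  no switchport trunk allowed vlan 255-499
interface port-channel 255
  switchport access vlan 300
  switchport trunk allowed vlan 300,301
"""

if __name__ == "__main__":
    for finding in audit_vlan_allocation(parse_switchport_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the audit reports VLAN 10 allocated to both gigabitEthernet 1/1 and 1/2, and port-channel 255 configured as both access and trunk with the trunk setting having overwritten the access VLAN; the no form on port 1/4 leaves that trunk with VLANs 101, 201 and 250 through 254.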

Completing the VLAN Trunking Configuration

By default, when you configure VLAN trunking, the interface is in the shutdown state (administratively down) until you enable it as follows:

•To enable VLAN trunking in a Layer 2 Ethernet port or port-channel interface, use the no shutdown command in interface configuration mode. This action puts the interface in the Up administrative state.

•To disable VLAN trunking, use the shutdown command in interface configuration mode. This action puts the interface in the Down administrative state.

For example, to enable VLAN trunking for Ethernet port 4, enter:

host1/Admin(config)# interface gigabitEthernet 1/4

host1/Admin(config-if)# switchport trunk allowed vlan 101,201,250-260

host1/Admin(config-if)# no shutdown

For example, to disable VLAN trunking for an interface, enter:

host1/Admin(config-if)# switchport trunk allowed vlan 101,201,250-260

host1/Admin(config-if)# shutdown

Specifying the 802.1Q Native VLAN For a Trunk

On an 802.1Q trunk port, the ACE appliance tags all transmitted and received frames except for those frames configured as the native VLAN for the trunk. Frames on the native VLAN are always transmitted untagged and are normally received untagged.

When configuring 802.1Q trunking, you must match the native VLAN across the link. Because the native VLAN is untagged, the native VLAN must match on both sides of the trunk link for 802.1Q; otherwise, the link will not work.

To set the 802.1Q native VLAN for a trunk, use the switchport trunk native vlan command in interface configuration mode. You can only have one assigned native VLAN.

Note If you have QoS enabled for a physical Ethernet port (see the "Enabling Quality of Service for a Port" section) that has been designated as an FT VLAN port (see the "Designating an Ethernet Port as an FT VLAN Port" section), do not configure the FT VLAN as an 802.1Q native VLAN. In this configuration, the QoS setting for redundancy traffic, such as heartbeat packets or TCP tracking probes, may not be handled properly by the ACE appliance and FT traffic may be dropped when there is network congestion.

You do not need to create a VLAN interface to set the 802.1Q native VLAN for a trunk. To configure a VLAN interface and access its mode to configure its attributes, use the interface vlan command in configuration mode for the context. See Chapter 3, Configuring VLAN Interfaces, for details.

The syntax is as follows:

switchport trunk native vlan number

The number argument specifies the VLAN number that you want to configure as the 802.1Q native VLAN when operating in trunking mode. Valid values are from 1 to 4094. The default is VLAN 1.

For example, to specify VLAN 3 as the 802.1Q native VLAN for the trunk, enter:

host1/Admin(config)# interface port-channel 255

host1/Admin(config-if)# switchport trunk native vlan 3

To revert to the default of VLAN 1, enter:

host1/Admin(config-if)# no switchport trunk native vlan
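As an added example (not Cisco's code and not part of the ACE appliance), the following Python script models how an 802.1Q trunk port assigns a received frame to a VLAN: a frame whose EtherType field holds the 0x8100 tag protocol identifier carries a 2-byte tag control information word with the VLAN ID in its low 12 bits, and a frame with no tag belongs to the native VLAN (VLAN 1 by default). The forward_across_trunk function then shows why the native VLAN must match on both ends of the link: an untagged frame sent on one end's native VLAN is classified into the other end's native VLAN, whatever that is. The frames and MAC addresses are constructed sample data, and the function names are this example's own.

```python
import struct
from typing import NamedTuple, Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


class FrameInfo(NamedTuple):
    dst: str
    src: str
    vlan: int        # VLAN the trunk port assigns the frame to
    tagged: bool     # True when an 802.1Q tag was present on the wire
    priority: int    # 802.1p priority bits from the tag (0 when untagged)
    ethertype: int   # EtherType of the payload that follows any tag


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_trunk_frame(frame: bytes, native_vlan: int = 1) -> FrameInfo:
    """Assign a frame received on an 802.1Q trunk port to a VLAN.

    A frame whose EtherType field holds 0x8100 carries a 2-byte tag control
    information (TCI) word; its low 12 bits are the VLAN ID. A frame with no
    tag belongs to the trunk's native VLAN (VLAN 1 by default, as on the ACE).
    A tag with VLAN ID 0 is priority-tagged only and is also treated as native.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return FrameInfo(dst, src, native_vlan, False, 0, ethertype)
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    return FrameInfo(dst, src, vid if vid else native_vlan, True, tci >> 13, inner_type)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, priority: int = 0) -> bytes:
    """Construct a sample frame; an 802.1Q tag is inserted when vlan is given."""
    if vlan is not None and not 0 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 0-4094")
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan)
    return hdr + struct.pack("!H", ethertype) + payload


def forward_across_trunk(vlan: int, tx_native: int, rx_native: int) -> FrameInfo:
    """Send one frame for `vlan` out a trunk whose native VLAN is tx_native and
    classify it at the far end, whose native VLAN is rx_native.

    The sender transmits untagged only on its own native VLAN, so when the two
    ends disagree an untagged frame lands in the wrong VLAN at the receiver.
    """
    tag = None if vlan == tx_native else vlan
    # Constructed broadcast frame with a dummy ARP payload, not captured traffic.
    wire = build_frame("ff:ff:ff:ff:ff:ff", "00:01:02:03:04:06", 0x0806, bytes(28), vlan=tag)
    return classify_trunk_frame(wire, native_vlan=rx_native)


if __name__ == "__main__":
    print("matching native VLAN 3:", forward_across_trunk(3, 3, 3))
    print("mismatch (3 vs 1):     ", forward_across_trunk(3, 3, 1))
    print("tagged VLAN 201:       ", forward_across_trunk(201, 3, 1))
```

With native VLAN 3 on both ends, a VLAN 3 frame crosses untagged and is still assigned to VLAN 3; with native VLAN 3 on the sender and the default VLAN 1 on the receiver, the same untagged frame is assigned to VLAN 1, which is the cross-VLAN leakage behind the mismatch warning above. Tagged frames are unaffected because they carry their VLAN ID explicitly.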

Displaying Ethernet Interface Configuration, Status, and Statistics

Use the show interface command in Exec mode to display the following:

•Configuration information and counter statistics for an Ethernet port

•Configuration information for a port-channel virtual interface

Use the show interface Exec command without a keyword to see a list of all interfaces that are programmed on the ACE appliance. A report is provided for each interface that the device supports. The syntax is as follows:

show interface [gigabitEthernet slot_number/port_number [counters] | port-channel channel_number]

The options and arguments are as follows:

•slot_number—Physical slot on the ACE appliance that contains the Ethernet ports. This selection is always 1, the location of the daughter card in the ACE appliance. The daughter card includes the four Layer 2 Ethernet ports to perform Layer 2 switching.

•port_number—Physical Ethernet port on the ACE appliance. Valid selections are 1 through 4, which specify one of the four Ethernet ports (1, 2, 3, or 4) associated with the slot 1 (daughter card) selection.

•counters—(Optional) Displays a summary of interface counters for the specified Ethernet port related to the receive and transmit queues.

•port-channel channel_number—Specifies the channel number assigned to a port-channel interface. Valid values are from 1 to 255.

For example, to view the configuration status for Ethernet port 1, enter:

host1/Admin# show interface gigabitEthernet 1/1

GigabitEthernet Port 1/1 is UP, line protocol is UP
  Hardware is ACE Appliance 1000Mb 802.3, address is 00:01:02:03:04:06
  Description:Ethernet port 3 is configured for speeds of 1000 Mbps
  MTU 9216 bytes
  Full-duplex, 1000Mb/s
  COS bits based QoS is disabled
  input flow-control is off, output flow-control is off
GigabitEthernet Port 1/4 is ADMIN DOWN, line protocol is UP
  Hardware is ACE Appliance 1000Mb 802.3, address is 00.00.00.00.20.62
  MTU 0 bytes
  Auto-duplex, Auto-speed
  input flow-control is off, output flow-control is off
    0 packets input, 0 bytes, 0 dropped
    Received 0 broadcasts (0 multicasts)
    0 runts , 0 giants
    0 FCS/Align errors , 0 runt FCS, 0 giant FCS
    0 packets output, 0 bytes
    0 broadcast, 0 multicast, 0 control output packets
    0 underflow, 0 single collision, 0 multiple collision output packets
    0 excessive collision and dropped, 0 Excessive Deferral and dropped

Note You can configure flow control on each Ethernet port of a Catalyst 6500 series switch. However, the ACE appliance does not support flow control. If you connect an ACE appliance to a Catalyst 6500 series switch, the flow control functionality is disabled on the ACE appliance. The output of the show interface gigabitEthernet command on the ACE appliance displays the "input flow-control is off, output flow-control is off" flow-control status line as shown in the example above regardless of the state of flow control on the Catalyst 6500 series switch port to which the ACE appliance is connected.
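Operators rarely read this output by hand for long; the following Python script is an added example (not Cisco's code) that parses show interface gigabitEthernet output of the shape shown above into per-port records and flags what an operator would follow up on: ports left administratively down, FCS/alignment errors, and dropped input packets. The sample output is constructed to match the chapter's format, with made-up counter values; the field names in the resulting dict are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the show interface output in this chapter;
# the counter values are made up, not captured from an appliance.
SAMPLE_SHOW_INTERFACE = """\
GigabitEthernet Port 1/1 is UP, line protocol is UP
  Hardware is ACE Appliance 1000Mb 802.3, address is 00:01:02:03:04:06
  Description:Ethernet port 3 is configured for speeds of 1000 Mbps
  MTU 9216 bytes
  Full-duplex, 1000Mb/s
  COS bits based QoS is disabled
  input flow-control is off, output flow-control is off
    12345 packets input, 9876543 bytes, 4 dropped
    Received 120 broadcasts (33 multicasts)
    0 runts , 0 giants
    7 FCS/Align errors , 0 runt FCS, 0 giant FCS
    23456 packets output, 12345678 bytes
    15 broadcast, 9 multicast, 0 control output packets
    0 underflow, 0 single collision, 0 multiple collision output packets
    0 excessive collision and dropped, 0 Excessive Deferral and dropped
GigabitEthernet Port 1/4 is ADMIN DOWN, line protocol is UP
  Hardware is ACE Appliance 1000Mb 802.3, address is 00.00.00.00.20.62
  MTU 0 bytes
  Auto-duplex, Auto-speed
  input flow-control is off, output flow-control is off
    0 packets input, 0 bytes, 0 dropped
    Received 0 broadcasts (0 multicasts)
    0 runts , 0 giants
    0 FCS/Align errors , 0 runt FCS, 0 giant FCS
    0 packets output, 0 bytes
    0 broadcast, 0 multicast, 0 control output packets
    0 underflow, 0 single collision, 0 multiple collision output packets
    0 excessive collision and dropped, 0 Excessive Deferral and dropped
"""

_HEADER_RE = re.compile(r"^GigabitEthernet Port (\S+) is (.+?), line protocol is (\S+)$")
_DUPLEX_RE = re.compile(r"^(\S+)-duplex, (\S+)$")
# Each pattern names the counters it extracts; the output's stray spaces before commas are tolerated.
_COUNTER_RES = [
    re.compile(r"(?P<in_packets>\d+) packets input, (?P<in_bytes>\d+) bytes, (?P<in_dropped>\d+) dropped"),
    re.compile(r"(?P<runts>\d+) runts\s*, (?P<giants>\d+) giants"),
    re.compile(r"(?P<fcs_align_errors>\d+) FCS/Align errors\s*, (?P<runt_fcs>\d+) runt FCS, "
               r"(?P<giant_fcs>\d+) giant FCS"),
    re.compile(r"(?P<out_packets>\d+) packets output, (?P<out_bytes>\d+) bytes"),
    re.compile(r"(?P<excess_collision_dropped>\d+) excessive collision and dropped, "
               r"(?P<excess_deferral_dropped>\d+) Excessive Deferral and dropped"),
]


def parse_show_interface(text: str) -> Dict[str, dict]:
    """Parse show interface gigabitEthernet output into a dict keyed by port (e.g. "1/1")."""
    ports: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER_RE.match(line)
        if m:
            current = m.group(1)
            ports[current] = {"admin": m.group(2), "line_protocol": m.group(3),
                              "flow_control_off": False}
            continue
        if current is None:
            continue  # text before the first port header
        entry = ports[current]
        if line.startswith("input flow-control is off, output flow-control is off"):
            entry["flow_control_off"] = True
        dm = _DUPLEX_RE.match(line)
        if dm:
            entry["duplex"], entry["speed"] = dm.group(1), dm.group(2)
        for pat in _COUNTER_RES:
            cm = pat.search(line)
            if cm:
                entry.update({k: int(v) for k, v in cm.groupdict().items()})
    return ports


def interface_findings(ports: Dict[str, dict]) -> List[str]:
    """Flag ports left administratively down, FCS/alignment errors (typically
    cabling or duplex/speed mismatches) and dropped input packets."""
    findings: List[str] = []
    for name, p in sorted(ports.items()):
        if p["admin"] != "UP":
            findings.append(f"{name}: {p['admin']} (line protocol {p['line_protocol']})")
        errors = p.get("fcs_align_errors", 0) + p.get("runt_fcs", 0) + p.get("giant_fcs", 0)
        if errors:
            findings.append(f"{name}: {errors} FCS/alignment errors; check cabling and duplex/speed")
        if p.get("in_dropped", 0):
            findings.append(f"{name}: {p['in_dropped']} input packets dropped")
    return findings


if __name__ == "__main__":
    for finding in interface_findings(parse_show_interface(SAMPLE_SHOW_INTERFACE)):
        print(finding)
```

On the sample, the script reports the 7 FCS/alignment errors and 4 dropped input packets on port 1/1 and the ADMIN DOWN state of port 1/4. The flow-control line is recorded but never flagged, since the note above explains it always reads off on the ACE appliance.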

For example, to view the configuration status for port-channel interface 23, enter:

switch/Admin# show interface port-channel 23

PortChannel 23:
----------------------------
Description:
mode: Access access vlan: 201
status: (ADMIN DOWN), load-balance scheme: src-dst-mac
PortChannel 23 mapped phyport:

Table 1-3 describes the fields in the show interface port-channel command output.

Table 1-3 Field Descriptions for show interface port-channel Command

Field                              Description
---------------------------------  ----------------------------------------------------------------
Description                        Configured description for this interface.
mode                               Interface switchport type: Access or Trunk.
access vlan                        VLAN assigned to the port-channel interface.
Status                             State of the interface: UP or DOWN.
load-balancing scheme              Configured load-balancing method. If you do not configure a
                                   load-balancing method, this field displays src-dst-mac, the
                                   default scheme, which balances on the source and destination
                                   MAC address.
PortChannel number mapped phyport  Physical port mapped to the port-channel interface.

For example, to view a summary of interface counters for Ethernet port 3, enter:

switch/Admin# show interface gigabitEthernet 1/3 counters

Table 1-4 describes the fields in the show interface gigabitEthernet counters command output.

Table 1-4 Field Descriptions for show interface gigabitEthernet counters Command

Field                                        Description
-------------------------------------------  ----------------------------------------------------------------
RX RGMII Packets                             Total number of packets received on the Reduced Gigabit Media
                                             Independent Interface (RGMII).
RX RGMII Control Packets                     Total number of octets transmitted on the RGMII.
RX RGMII DMAC filtered Packets               Number of destination MAC address-filtered packets received on
                                             the RGMII.
RX RGMII Dropped Packets                     Total number of packets dropped on the RGMII.
                                             Note: These packets are also counted in the RX Packets field.
RX RGMII Bad Packets                         Total number of bad packets received on the RGMII.
                                             Note: These packets are also counted in the RX Packets field.
RX RGMII Octets                              Total number of octets received on the RGMII. This statistic
                                             is a 64-bit counter of the number of good octets received.
RX RGMII Control Octets                      Total number of control octets received on the RGMII.
RX RGMII DMAC filtered Octets                Number of destination MAC address-filtered octets received on
                                             the RGMII.
RX RGMII Dropped Octets                      Total number of octets dropped on the specified Ethernet port.
RX Packets                                   Total number of packets received on the specified Ethernet
                                             port.
RX Octets                                    Total number of octets received on the specified Ethernet
                                             port. This statistic is a 64-bit counter of the number of
                                             good octets received.
RX Dropped Packets                           Total number of packets dropped by the specified Ethernet
                                             port.
                                             Note: These packets are also counted in the RX Packets field.
RX Broadcasts                                Number of broadcast packets received on the specified
                                             Ethernet port.
RX Multicasts                                Number of multicast packets received on the specified
                                             Ethernet port.
RX Runts                                     Number of packets that are discarded because they are smaller
                                             than the minimum packet size allowed by the ACE appliance.
RX Giants                                    Number of packets that are discarded because they exceed the
                                             maximum packet size allowed by the ACE appliance.
RX FCS/Align Errors                          Total number of frame check sequence (FCS) errors or packets
                                             with a nonintegral number of octets (alignment errors).
RX Runt FCS                                  Total number of runt FCS errors.
RX Giant FCS                                 Total number of giant FCS errors.
Total Inbound Packets                        Total number of inbound packets received by the ACE appliance.
Total Inbound Octets                         Total number of inbound octets received by the ACE appliance.
Total Inbound Errors                         Total number of inbound packets with errors.
TX Packets                                   Total number of packets transmitted from the specified
                                             Ethernet port.
TX Octets                                    Total number of octets transmitted from the specified
                                             Ethernet port. This statistic is a 64-bit counter of the
                                             number of good octets transmitted.
TX Broadcast Packets                         Number of broadcast packets transmitted from the specified
                                             Ethernet port.
TX Multicast Packets                         Number of multicast packets transmitted from the specified
                                             Ethernet port.
TX Control Packets                           Number of control packets transmitted from the specified
                                             Ethernet port.
TX Underflow Packets                         Number of underflow packets transmitted from the specified
                                             Ethernet port.
TX Single Collision Packets                  Number of times that a transmitted packet encountered a
                                             single collision.
TX Multiple Collision Packets                Number of times that a transmitted packet encountered
                                             multiple collisions.
TX Excessive Collisions and Dropped Packets  Number of times that a transmitted packet encountered
                                             excessive collisions, which resulted in dropped packets.
TX Excessive Deferral and Dropped Packets    Number of times that a transmitted packet encountered
                                             excessive deferrals, which resulted in dropped packets.
TX Packets with Size 0-63 Octets             Number of packets transmitted that are from 0 to 63 octets.
TX Packets with Size 64 Octets               Number of packets transmitted that are 64 octets.
TX Packets with Size 65-127 Octets           Number of packets transmitted that are from 65 to 127 octets.
TX Packets with Size 128-255 Octets          Number of packets transmitted that are from 128 to 255 octets.
TX Packets with Size 256-511 Octets          Number of packets transmitted that are from 256 to 511 octets.
TX Packets with Size 512-1023 Octets         Number of packets transmitted that are from 512 to 1023
                                             octets.
TX Packets with Size 1024-1518 Octets        Number of packets transmitted that are from 1024 to 1518
                                             octets.
TX Packets with Size > 1518 Octets           Number of packets transmitted that are greater than 1518
                                             octets.

Clearing Ethernet Interface Configuration Information

You can clear the Ethernet port configuration information displayed through the show interface command by using the clear interface gigabitEthernet command in Exec mode. The syntax for this command is as follows:

clear interface gigabitEthernet slot_number/port_number

The options and arguments are as follows:

•slot_number—Physical slot on the ACE appliance that contains the Ethernet ports. This selection is always 1, the location of the daughter card in the ACE appliance. The daughter card includes the four Layer 2 Ethernet ports that allow you to perform Layer 2 switching.

•port_number—Physical Ethernet port on the ACE appliance. Valid selections are 1 through 4, which specify one of the four Ethernet ports (1, 2, 3, or 4) associated with the slot 1 (daughter card) selection.